Module 5 - Storage & Transfer

Question 1

What are the 3 kinds of storage? What AWS services handle each?

Answer 1

Block (EBS, instance store)
File (AWS EFS, FSx)
Object (S3, Glacier)

Question 2

What are some ways to migrate data online?

Answer 2

AWS Storage Gateway
Kinesis (Firehose and Streams)
DataSync
S3 Transfer Acceleration
AWS Direct Connect

Question 3

What are some ways to migrate data offline?

Answer 3

AWS Snow family

Question 4

What is AWS S3? How do you change data?

Answer 4

Simple Storage Service. It is object-level storage, meaning if you want to change a part of a file, you must make the change and then reupload the entire modified file. Max 5TB per file.

Question 5

How can you access S3?

Answer 5

Through the web-based AWS Management Console,

or programmatically through the API and SDKs

Question 6

What is an S3 object made up of?

Answer 6

• key (full path to file including folders),
• the file itself (value),
• version ID (if enabled)
• any metadata that describes the file (key/value pairs),
• tags (Unicode key/value pair, for security/lifecycle)

Question 7

Identify the parts of this S3 URL

http://doc.s3-us-west-1.amazonaws.com/2006-03-01/AmazonS3.html

Answer 7

“doc” is the NAME of the bucket
“2006-03-01/AmazonS3.html” is the KEY
(“2006-03-01/” in the object key is called the PREFIX)

Question 8

How do buckets work?

How many buckets can an account have?

Answer 8

• Objects are stored in buckets.
• 1 AWS account can have 1-100 buckets.
• You can choose one REGION and control access.
You can access bucket logs.

Question 9

How do you control access to a bucket? What is the default access to a bucket?

Answer 9

Everything is PRIVATE by default. The account that created the resource can grant permissions by writing access policies (CONTROLLED ACCESS).
You can also make it PUBLIC if necessary (uncommon).

Question 10

How do you make sure your buckets are never exposed to public access?

Answer 10

Turn on “block all public access” at the account level. These settings apply account-wide for all current and future buckets.

Question 11

What are the ways that access is granted to a bucket?

Answer 11

ACLs and bucket policies.

Question 12

How can you recover objects from accidental deletion or overwrite?

Answer 12

1) Enable versioning on your bucket.

2) S3 Object Lock - uses the write once, read many (WORM) model.
• Use retention periods for locking an object for a fixed period of time
• use Legal Hold for a lock until explicitly removed.

Question 13

What are the different S3 storage classes? What are they used for?

Answer 13

• S3 Standard - general-purpose storage of frequently accessed data
• S3 Intelligent-Tiering for data with unknown or changing access patterns (uses ML to determine your needs)
• S3 Standard-Infrequent Access (S3 Standard-IA) and S3 One Zone-Infrequent Access (S3 One Zone-IA which is cheaper still) for long-lived, but less frequently accessed data. Cheap if you access less than once a month. 50% less than standard. There is a retrieval fee.
• S3 Glacier and S3 Glacier Deep Archive for long-term archive and digital preservation

Question 14

What is an archive?

Answer 14

Any object stored in a vault in S3 Glacier. It has a unique ID and optional description. When you store it, Glacier returns a regionally unique archive ID.

Question 15

What do you use to manage S3 Glacier vaults?

Answer 15

Via the management console to create and delete.

For everything else, use the CLI, REST API, or SDKs

Question 16

What is a vault?

Answer 16

A container for storing archives.
You specify its name and region.
You can lock it with Vault Lock. (for compliance; data and lock can’t be removed)

Question 17

What are the retrieval times for S3 Glacier?

Answer 17

Instant retrieval - milliseconds

Flexible Retrieval:
•Expedited - 1-5 minutes
• Standard - 3-5 hours
• Bulk - 5-12 hours

Deep Archive:
• standard - 12 hours
• bulk - 48 hours

Question 18

What is an S3 Lifecycle Policy in Lifecycle Management?

Answer 18

An automated system to move (transition) or delete (expire) your data based on age. (Saves you money on storage).

You can set rules per object or per bucket.

Works with versioning.

Question 19

What are 3 ways to encrypt data at rest in S3?

Answer 19

1) SSE-S3: Server-side encryption (SSE) with Amazon S3-managed keys. AWS handles the key, uses AES-256 algorithm. How? Put in the header: “x-amz-server-side-encryption”:”AES256”
2) SSE-KMS: Server-side encryption with AWS KMS keys (KMS keys) stored in AWS KMS. Envelope encryption, you and AWS manage the keys. Why? You can control who has access and you get an audit trail. Put in the header: “x-amz-server-side-encryption”:”KMS”
3) SSE-C: Server-side encryption with customer-managed keys. You manage the keys. Must use HTTPS. CLI only. Must include key in header because it’s discarded every time.

Question 20

How does S3 handle replication?

Answer 20

All data is replicated in at least 3 AZs (except for S3 One Zone-IA).

Question 21

What is S3 Transfer Acceleration? When would you choose this?

Answer 21

It’s a way to move data faster over long distances. It uses CloudFront global edge locations with a distinct URL (…s3-accelerate…). Once it’s uploaded, it is automatically routed to S3 using an optimized network path (AWS backbone network).

You only get charged if there is a performance improvement. Enabled at the bucket level.

Good for when :
• you have customers worldwide using the same bucket
• you transfer giga- or terabytes of data worldwide

Question 22

⭐️ What is S3 multipart upload? When would you want to do this?

Answer 22

This is a way to break large objects up into manageable parts. Once they are uploaded, S3 reassembles the object. You can’t do this with the console. Recommended for files > 100 MB. Required if > 5 GB.

Use for:
• Improved throughput: You can upload parts in parallel to improve throughput.
• Quick recovery from any network issues: Smaller part sizes minimize the impact of restarting a failed upload due to a network error.
• Pausing and resuming object uploads: You can upload object parts over time. When you have initiated a multipart upload, there is no expiration. You must explicitly complete or cancel the multipart upload.
• Beginning an upload before you know the final object size: You can upload an object as you are creating it.
• Uploading large objects: Using the multipart upload API, you can upload large objects, up to 5 TB.

Question 23

What are S3 Access Points?

Answer 23

Named network endpoints that you can use to perform S3 object operations, such as GetObject and PutObject.

They each have their own policy for permissions and network controls.

These only work for objects, not S3 operations like modifying buckets.

Question 24

What is Object Lambda?

Answer 24

You add your own code to process data from a GET request Access Point.

E.g. convert data format (XML to JSON), resize images, augment data with another service, etc.

Question 25

What are the costs for S3? What are the factors that change pricing?

Answer 25

STARRL • Storage pricing • Request and data retrieval pricing (only transfer OUT to other regions or the internet; only PUT, COPY, POST, LIST, GET requests) • Data transfer and Amazon S3 Transfer Acceleration pricing • Data management and analytics pricing • S3 Replication pricing • Processing with S3 Object Lambda

Question 26

When is S3 a good choice?

Answer 26

Use when: • Need to write once, and read many times. • Have a large number of users. • Have growing data sets. • Have spiky access to data (in this case, use S3 Standard and S3 Intelligent-Tiering.)

Question 27

What storage should I use when multiple instances need to use the same file storage?

Answer 27

You could use EBS, but only up to 16 attachments. You could use S3 but because it is object-store you don't have the high-performance and read/write capacity of file storage systems so it's not ideal. If you need high throughput changes to files of different sizes, EFS is best.

Question 28

What is AWS EFS?

Answer 28

Elastic File System. It's a managed Network File System, meaning that lots of instances in different AZs can connect to it. No need to provision for capacity, it scales automatically. Pay per use. Highly durable, scalable, and expensive. When a client makes a request, EFS routes to the "mount target" in the AZ closest to the client. Only for Linux-based AMIs (POSIX). Great for CMS, WordPress, content sharing, web serving

Question 29

What is FSx?

Answer 29

FSx for Windows and FSx for Lustre (Linux) are managed services that handle 3rd party file systems for you. Integrates with S3. Links long-term storage with high-performance file systems.

Question 30

What are the options for data migration in the Snow family?

Answer 30

For all: Transfer data and ship back to AWS, stores data in your bucket. (For uploading OR downloading) If it takes longer than a week over the network, use snow! 100TB over 1gbps = 12 days * Snow Cone - small, portable data storage device 8Tb * SnowBall Edge - 80TB device (storage or compute optimized). ❗️Has computing options, can pre-process data. * Snowmobile - shipping container on a semi. 100 PB.

Question 31

How does DataSync work?

Answer 31

Deploy a software agent on-prem through a virtual instance. Transfer data over WAN to AWS using TLS. It's a service so there is nothing to maintain.

Question 32

What is the Storage Gateway service?

Answer 32

A set of hybrid cloud storage services that provide on-premises access to virtually unlimited cloud storage. An on-prem File Gateway connects to the Storage Gateway service in the cloud. Looks like the File Gateway caches data for lower latency. Or use an Appliance Gateway on-prem. Supports: files, volumes, tapes. NFS or SMB for files, iSCSI for volumes, iSCSI VTL for tapes.

Question 33

What should I use if I have on-prem applications that need to access an S3 bucket in the cloud?

Answer 33

Storage Gateway service.

Question 34

You have 2 Linux applications in different AZs that must share the same file system. What do you use?

Answer 34

Amazon EFS.

Question 35

What protocols are supported in an AWS Storage Gateway Appliance?

Answer 35

iSCI SMB NFS

Question 36

What size can your S3 object be?

Answer 36

0 bytes --> 5TB

Question 37

What must you consider when naming a bucket?

Answer 37

It uses a universal namespace. They must have unique names, like a domain name. ⛔️ No Caps, no underscore, no IPs 3-63 chars must start with lowercase or number

Question 38

How does S3 logging work?

Answer 38

You can optionally turn on "per request" logging; files are saved in a different bucket.

Question 39

What is the difference between ACL and bucket policies?

Answer 39

ACL: Legacy feature but still in use, simple way of granting access. Bucket policy: defines more complex rule access. JSON.

Question 40

How is encryption handled in transit? At rest?

Answer 40

In transit: SSL/TLS In transit: client-side encryption. You encrypt before uploading. You can use a library like S3 Encryption Client. At rest: SSE. There are 3 options here.

Question 41

What are CRR and SRR?

Answer 41

Cross-Region Replication: You enable this and choose another region. Any object uploaded will automatically be replicated. ❗️You MUST have versioning turned on for both source and destination buckets. SRR = Same Region Replication. Same thing, just in the same region. Both can also replicate to another AWS account. Asynchronous. When you enable, only NEW objects will be replicated. (To do all, use S3 BATCH replication) You can't "chain" replication from bucket #1 to #2 then #2 to #3.

Question 42

How do you turn off versioning for an S3 object?

Answer 42

You can't on an object. Once enabled it cannot be disabled. You can only suspend versioning on the bucket.

Question 43

I have a web app and I want the user to be able to download an object that is in a private S3 bucket from a password-protected part of the app. How do I do this?

Answer 43

Generate a Presigned URL. It grants temporary access to an object (up or download) that expires in a number of seconds. (default 1 hour = 3600 secs)

Question 44

How do you keep people from accidentally deleting objects?

Answer 44

Enable MFA delete, where a user has to provide an MFA code before deleting or changing the versioning state of a bucket. ❗️Versioning must be turned on. Must use CLI to enable it. Only the bucket owner logged in as root can delete. Header in request: x-amz-mfa

Question 45

When you upload a new version of an object, does the new version inherit the properties of the previous versions? E.g. public/private settings.

Answer 45

No.

Question 46

What is the CLI command to copy a file from an S3 bucket to another location?

Answer 46

aws s3 cp s3://bucketName/folder/file.fileType destination

Question 47

❗️What features can you configure on EFS?

Answer 47

Performance: • EFS Scale Mode (auto scales to Petabyte scale) • Performance Mode: Max I/O or general • Throughput Mode: Bursting or provisioned Storage: • Standard (frequently accessed) • EFS-IA (infrequently accessed) cost per retrieval but cheaper to store Multi-AZ or 1-Zone

Question 48

When can a user access an S3 bucket?

Answer 48

``` When the IAM user-based policy allows it OR the resource-based policy (bucket, ACL) allows it AND there is no explicit deny. ```

Question 49

What is an S3 website?

Answer 49

S3 can host static websites; index.html. You must make access public.

Question 50

What is CORS?

Answer 50

Cross-Origin Resource Sharing. Trying to get resources from a different origin. Web browser-based security that only allows you to get resources from a different origin if the second origin allows it. Second origin sends headers telling the first origin what they are allowed to do.

Question 51

How does S3 CORS work?

Answer 51

If website A needs to get a resource from website B, then B needs to enable CORS in the response headers, otherwise, the request will be blocked by the browser.

Question 52

What is the S3 consistency model?

Answer 52

All operations are strongly consistent. All changes are immediately available.

Question 53

Can you put a bucket inside another bucket?

Answer 53

No.

Question 54

Where does S3 live?

Answer 54

NOT in a VPC, it lives in the public space.

Question 55

What are the ways you can connect to S3?

Answer 55

Browser - to the public endpoint Programmatically via REST API EC2 can connect from within a VPC through the Internet Gateway and public internet. ❗️EC2 can connect from within a VPC through a PRIVATE connection with the S3 GATEWAY ENDPOINT.

Question 56

What are the minimum storage durations for S3 storage classes? How long do you have to keep data before moving it?

Answer 56

Standard - N/A Intelligent-Tiering, Standard IA, 1Zone IA - 30 days Glacier - 90 days Deep Archive - 180 days

Question 57

What is MFA-Protected API Access?

Answer 57

When using the API or CLI, enforces MFA when accessing AWS resources (not just S3). In a bucket policy, the condition will look like this: "Condition":{"Null": {"was:MultiFactorAuthAge": true}} This denies any API operation that does not use MFA.

Question 58

What happens to new and existing objects when I enable default encryption on a bucket?

Answer 58

New objects: If unencrypted then it will encrypt. If encrypted, then nothing happens. (It won't re-encrypt.) Existing objects: Nothing. Only NEW objects will be encrypted.

Question 59

What is an S3 Event Notification?

Answer 59

Sends notifications when events happen in buckets to: SNS, SQS, Lambda & EventBridge.

Question 60

What is S3 Select (or Glacier Select)?

Answer 60

A way to use simple SQL to access objects (or objects within objects like a zip file) on S3. You can filter out the data you don't need on the server, which costs less in transfer and client-side CPU. ❗️Query based on the bucket's name and object's KEY Need Lambda?

Question 61

We need our architects to have programmatic and console access ACROSS AWS ACCOUNTS.

Answer 61

Configure cross-account access using IAM roles.

Question 62

What gets evaluated first, bucket policies or default encryption?

Answer 62

Bucket policies. Default encryption works like your backup in case you forgot to encrypt.

Question 63

What are S3 access logs?

Answer 63

Logs for ALL requests to S3, then you can use these for analysis. The logs are saved in a different bucket.

Question 64

⭐️ I don't know when I should move objects in S3 to a different tier. What tool can help me?

Answer 64

S3 Analytics - Storage Class Analysis (not for 1Zone or Glacier). • Daily report

Question 65

What is a way to speed up the performance of a download from S3?

Answer 65

Byte-Range Fetch. Divides up the file and fetches specific ranges in parallel. Also good if you only need one part of the file.

Question 66

What is S3 Requester Pays?

Answer 66

A setting where the requester who downloads from S3 pays the networking cost for the download (not storage). The requester must be authenticated in AWS.

Question 67

Something something analyze data in S3 using serverless SQL...

Answer 67

Athena.

Question 68

How do you get data from Snowball to Glacier?

Answer 68

You can't do it directly. | Snowball to S3, then lifecycle policy to Glacier.

Question 69

When would you use FSx for Lustre?

Answer 69

Lustre = "Linux cluster" ❗️ML, HPC (video, financial modeling, etc) Seamless integration with S3 Can be used on-prem with VPN or DirectConnect

Question 70

What are the 2 deployment options for FSx?

Answer 70

``` Scratch file system • temp storage • not replicated • super speedy • FOR - short-term processing, save $ ``` Persistent file system • long-term storage • replicated in same AZ (failures replaced in minutes) • FOR - long-term processing, sensitive data

Question 71

What types of storage gateway are there?

Answer 71

File - NFS (Network File System), SMB • S3, IA • recently used data is cached in the gateway • ❗️integrated with Active Directory for user authentication Volume - iSCSI • cached volume gateway • stored volume gateway - all data is on-prem with scheduled backups to S3. • S3 to EBS snapshots Tape iSCSI VTL • Virtual Tape Library (VTL) backed by S3/Glacier Connects to the cloud: EBS, S3, Glacier

Question 72

What if I don't have the virtual servers to run the different gateways on-prem?

Answer 72

You can use Storage Gateway Hardware Appliance. Will have all you need to run the gateway for you. Good for daily NFS backups where you don't have virtualization available.

Question 73

What is the FSx File Gateway?

Answer 73

Native access to FSx for Windows file server. Lives on-prem, connects to FSx in the cloud. * ❗️Has a cache for frequently accessed data * windows native (Active Directory, SMB, NTFS, etc.)

Question 74

I want to transfer data in and out of S3 or EFS, but I want to use FTP instead of APIs. What are my options?

Answer 74

AWS Transfer Services You can store user credentials or integrate with 3rd party (LDAP, Cognito, AD) 3 Flavors: FTP (only within VPC) SFTP FTPS Service assumes IAM role to access S3/EFS

Question 75

Data in an S3 bucket has a lifecycle policy that moves older data to Glacier every month. You should be able to retrieve required data in under 15 minutes and should handle up to 150 MB/s of retrieval throughput. Which of the following should you do to meet the above requirement? (Select TWO.)

Answer 75

Expedited retrievals allow you to quickly access your data when occasional urgent requests for a subset of archives are required. Provisioned capacity ensures that your retrieval capacity for expedited retrievals is available when you need it.

Question 76

A company plans to use a durable storage service to store on-premises database backups to the AWS cloud. To move their backup data, they need to use a service that can store and retrieve objects through standard file storage protocols for quick recovery. Which of the following options will meet this requirement?

Answer 76

File Gateway presents a file-based interface to Amazon S3, which appears as a network file share. It enables you to store and retrieve Amazon S3 objects through standard file storage protocols. File Gateway allows your existing file-based applications or devices to use secure and durable cloud storage without needing to be modified. With File Gateway, your configured S3 buckets will be available as Network File System (NFS) mount points or Server Message Block (SMB) file shares.